Synopsis


(U) To set leads at Las Cruces RA and Roswell RA. 

Reference: Wl 288-HQ-1242560 Serial 52


Details: On 02/01/1998, the Department of Defense (DOD)
began detecting computer intrusions into its unclassified
computer systems at various facilities in the United States. 
These intrusions are ongoing. At least 11 DOD systems are known 
to have been compromised and recovery procedures have been 
initiated. The intruder appears to have targeted domain name 
servers and obtained root status via exploitation of the “statd” 
vulnerability in the Solaris 2.4 operating system. Hacker tools 
imported from a University of Maryland site were used to gain 
entry. The intruder installed a sniffer program and then closed 
the vulnerability by transferring a patch from the University of 
North Carolina. A “backdoor” was created to allow the intruder 
reentry to the system. 

Intrusions, or intrusion attempts, were detected
at Andrews Air Force Base (AFB), Columbus AFB, Kirkland AFB, 
Maxwell AFB (Gunter Annex), Kelly AFB, Lackland AFB, Shaw AFB, 
MacDill AFB, Naval Station Pearl Harbor, and an Okinawa Marine 
Corps Base. 

(U) Numerous university computer sites in the U.S.
appear to have been exploited in a similar fashion. Internet 
service providers near those universities also appear to have 
been exploited to access, or attempt to access, DOD computer 
networks. 

In the referenced communication, FBIHQ requested 
all field offices expeditiously contact all logical sources for 
any information pertaining to intrusions into Air Force domain 
name servers using the “statd” exploit on Solaris 2.4 operating
systems. 

LEAD(s):

Set Lead 1:

LAS CRUCES RA

AT ALAMOGORDO, NM

Expeditiously contact the Office of Special
Investigations (OSI) at Holloman AFB, ALAMOGORDO, New Mexico,
telephone number [redacted] or [redacted]. Determine if
they have any information pertaining to intrusions into Air Force
domain name servers using the “statd” exploit on Solaris 2.4
operating systems. Respond expeditiously with positive results
to SSA [redacted] or SSA [redacted], FBIHQ, NSD/CID,
CITAC, telephone number [redacted].

Set Lead 2: 

ROSWELL RA 

AT CLOVIS, NM

(U) Expeditiously contact the Office of Special
Investigations (OSI) at Cannon AFB, Clovis, New Mexico, telephone
number [redacted] or [redacted]. Determine if they have
any information pertaining to intrusions into Air Force domain
name servers using the “statd” exploit on Solaris 2.4 operating
systems. Respond expeditiously with positive results to SSA
[redacted] or SSA [redacted], FBIHQ, NSD/CID, CITAC,
telephone number [redacted].